In information technology, attackers use stolen credentials to reuse and move laterally in the network from computer to computer. The term Pass-the-Hash (PtH) attack involves using a technique in which an attacker captures account logon credentials on one computer and then uses those credentials to authenticate against other computers in the network. PtH is one of the popular attack method used by attackers to move laterally inside the network.
Operating systems typically generate password hashes, which are a one-way hash of password text to hash value. The one-way hash may be used on behalf of the user to authenticate with a server. The host operating system stores the generated password hashes, tickets, etc., in local system memory or a disk. Even if the user logs off, the operating system leaves a residual entry, which can be reused.
An attacker may steal the hashes and tickets and reuse them to authenticate with the server. The PtH is one specific form of credential theft and there are other forms of reuse attacks vectors such as stealing Kerberos Ticket Granting Tickets (TGTs), etc. The goal of the attacker is to obtain domain administrator account, high privilege service accounts, local administrator accounts, etc., so that the attacker can get access to multiple systems.
The systems and methods disclosed herein provide an improved approach for preventing PtH and other attacks that include theft of stored credentials.